1. Field of the Invention
The present invention relates in general to a cryptographic system and method for encrypting input data.
2. Description of the Related Art
In general, a public key cryptographic system may be implemented based on theoretical security using prime factorization or discrete algebra. For example, public key cryptographic systems may employ schemes using an encryption key that is typically difficult to factorize. Example schemes using a certain encryption key that is difficult to solve using discrete algebra include the Rivest-Shamir-Adleman (RSA) scheme, the Diffie-Hellman scheme, the ElGamal scheme, etc. Since public key cryptographic systems handling these mathematical difficulties perform an operation with bit numbers greater than 512 bits, the prior art cryptographic systems using such schemes typically may have what is referred to as a repeated-round structure.
Recently, block cryptographic systems, which have a repeated-round structure, have been used, where a round may be understood as a given encryption processing iteration for data to be encrypted. A block cryptographic system is a non-public key (symmetric key) cryptographic system which encrypts data by dividing the data into blocks of a given size. After generating a plurality of sub-round keys using a given encryption key, the block cryptographic system with repeated-round structure repeatedly encrypts data using each of the sub-round keys.
Block cryptographic systems may be implemented using a given encryption algorithm. Generally used encryption algorithms may be defined by known encryption standards, for example. Typical block encryption algorithms include the data encryption standard (DES), used in the United States, the international data encryption algorithm (IDEA), used in Europe, the SEED, used in Korea, etc. All standardized encryption algorithms are published, and users may implement encryption systems using the encryption algorithms provided by these published standards.
FIG. 1 is a block diagram of a prior art cryptographic system with a repeated-round structure. The prior art cryptographic system 100 typically may include an input unit 110, a register 120, an encryption circuit 135, an output unit 150 and a round counter 160. The input unit 110 receives data to be encrypted in every round, i.e., the input unit 110 receives data to be encrypted in a first round, and in subsequent rounds receives the data that was encrypted in a previous round.
The register 120 stores the data output from the input unit 110 in response to a clock signal. In the first round, the data to be encrypted is stored in the register 120, and in the subsequent rounds, the data encrypted in a previous round is updated and stored in the register 120. The encryption circuit 135 encrypts the data stored in the register 120 using a given encryption key (KEY). The encryption circuit 135 includes a round key generating circuit 130 and an encryption function circuit 140.
The round key generating circuit 130 generates a round key (RKEY), which is used for encryption in every round, using a given KEY. The encryption function circuit 140 implements an encryption function which is part of a given encryption algorithm. The encryption function circuit 140 encrypts the data stored in the register 120 using the RKEY based on the given encryption function.
In a final round, the output unit 150 outputs the data encrypted by the encryption function circuit 140. In previous rounds, the output unit 150 transmits the data encrypted by the encryption function circuit 140 to the input unit 110. The round counter 160 counts the number of rounds performed, and transmits the count as a control signal to the input unit 110 and the output unit 150. The round counter 160 may be reset in response to the encrypted data output by the output unit 150. The round counter 160 may start counting in response to the input of the data to be encrypted. The round counter 160 may increase the count in response to the encrypted data transmitted from the output unit 150.
As described above, the prior art public key cryptographic system is based on theoretical security using discrete algebra, prime factorization, etc. The prior art block cryptographic system implements encryption based on theoretical security such as Shannon's theory (diffusion and confusion). However, attacks have been recently developed which may threaten cryptographic systems by exploiting side information from the cryptographic systems regardless of the theoretical security that is used.
These attacks threatening cryptographic systems by exploiting side information are referred to as ‘side channel’ attacks. Side channel attacks include a timing attack, which exploits operation execution time, a power analysis attack, which exploits the amount of power consumption, and a fault attack, which uses an intentionally induced fault. For example, the power analysis attack can attack a cryptographic system used for a smart card with relatively little effort and cost, and is thus a substantial potential threat to security.
The power analysis attack may be known as a simple power analysis (SPA) attack or a differential power analysis (DPA) attack, for example. The SPA attack infers secret information simply by analyzing a power signal while a cryptographic system operates. The DPA attack infers secret information by analyzing a substantial number of power signals related to the same secret key. This analysis may be done by using a statistical property.
Several technologies have been proposed for designing a cryptographic system that is secure against power analysis attacks. These technologies fundamentally include a method or process which reduces the size of a signal, inserts noise, or employs a random clock or a random execution order, for example. However, if there are sufficient samples of power signals to be analyzed, a random component averages out. Accordingly, the conventionally proposed technologies cannot be perfectly secure against power analysis attacks.
In another proposal, a masking technique, which is different from technologies using a random component, has been developed. In the masking technique, an internal operation is performed by masking input data with random data and then removing the mask. The masking technique has a structure which is generally secure against SPA attacks and DPA attacks. However, if the internal operation is non-linear, a complicated additional circuit is required, and masking circuits suitable for each encryption algorithm should be designed.
In addition, the power analysis attack can be used to determine a correlation with secret information by measuring the power consumption of a logic circuit, such as an S-box in a block cryptographic system. The S-box, which is a non-linear substitution function, uses an algorithm to convert input data to other data and to output the other data. However, since it is practically difficult to measure the power consumption of the S-box in isolation, that power consumption cannot readily be used for the power analysis attack.
On the contrary, it is easier to measure the power consumption due to the switching current in the register in which the data encrypted in every round is updated and stored than to measure the power consumption of the S-box. Thus, a measurement of the power consumption of the register is frequently used as a representative measure of changes in the power consumed by the cryptographic system.
Referring to FIG. 1, the data stored in the register 120 in a previous round is updated to new encrypted data in a following round. The power analysis attack is conducted using the current, which changes as the data is updated in the register 120. Meanwhile, the switching current in a register has a high correlation with the Hamming distance of the data bits. The Hamming distance indicates the number of bits of the updated data which have different values than the corresponding bits of the previous data. For example, if a value stored in the register is updated from 1100 to 1010, the number of bits which have different values than the bits of the previous data is 2. The Hamming distance is thus 2.
Accordingly, the more bits that change values as data stored in a register is updated, the greater the increase in power consumption. In other words, as the Hamming distance increases, the power consumption increases. Since a power analysis attack involves attacking a cryptographic system using the changes in power consumed in a register, it may be desirable to maintain constant power consumption. Hence, it may be desirable to maintain the Hamming distance constant as data stored in a register is updated.
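The following Python simulation is an added illustration and is not part of this application or its claimed method. It models the repeated-round register of FIG. 1 (register 120 fed by a round key generator and a round function) with a constructed toy round function that stands in for the encryption function circuit 140, records the sequence of values the register holds, and computes the per-update Hamming distance that the switching current correlates with, reproducing the 1100 to 1010 example above. It also shows what "constant Hamming distance" means by re-encoding the same trace with a well-known precharge-to-zero plus complement (dual-rail) encoding, which is one illustrative way to make every update flip the same number of bits; that encoding is an assumption of this example, not the technique this application describes. The toy cipher, key schedule and sample values are all constructed for the example.

```python
"""Hamming-distance leakage model for a repeated-round register (added example)."""
from typing import List


def hamming_distance(a: int, b: int) -> int:
    """Number of bit positions in which a and b differ (e.g. 1100 vs 1010 -> 2)."""
    return bin(a ^ b).count("1")


def toy_round_function(data: int, round_key: int, width: int = 16) -> int:
    """Constructed toy round: XOR with the round key, then rotate left by 3.

    Stands in for the encryption function circuit of FIG. 1; it is NOT a real cipher.
    """
    mask = (1 << width) - 1
    x = (data ^ round_key) & mask
    return ((x << 3) | (x >> (width - 3))) & mask


def toy_round_keys(key: int, rounds: int, width: int = 16) -> List[int]:
    """Constructed stand-in for a round key generating circuit: rotate the key by one bit per round."""
    mask = (1 << width) - 1
    keys = []
    k = key & mask
    for _ in range(rounds):
        keys.append(k)
        k = ((k << 1) | (k >> (width - 1))) & mask
    return keys


def register_trace(plaintext: int, key: int, rounds: int, width: int = 16) -> List[int]:
    """Sequence of values held by the round register: the input, then each round's output."""
    trace = [plaintext & ((1 << width) - 1)]
    for rk in toy_round_keys(key, rounds, width):
        trace.append(toy_round_function(trace[-1], rk, width))
    return trace


def hamming_distances(trace: List[int]) -> List[int]:
    """Per-update Hamming distance: the quantity the register's switching current correlates with."""
    return [hamming_distance(prev, cur) for prev, cur in zip(trace, trace[1:])]


def is_constant_hamming_distance(trace: List[int]) -> bool:
    """Defender-side check: does every register update flip the same number of bits?"""
    return len(set(hamming_distances(trace))) <= 1


def dual_rail_precharge_trace(trace: List[int], width: int = 16) -> List[int]:
    """Re-encode a plain trace for a 2*width-bit register that is precharged to all-zero
    before each update and then loaded with (data || ~data).

    Going 0 -> (d || ~d) sets exactly `width` bits, and (d || ~d) -> 0 clears exactly
    `width` bits, so every update has Hamming distance `width` regardless of the data.
    This is an illustrative encoding assumed by the example, not the claimed method.
    """
    mask = (1 << width) - 1
    out = []
    for v in trace:
        out.append(0)                               # precharge phase: register cleared
        out.append((v << width) | ((~v) & mask))    # evaluation phase: data || complement
    return out


if __name__ == "__main__":
    # Constructed sample plaintext and key; 4 rounds of the toy round function.
    plain = register_trace(0x1234, 0xABCD, rounds=4)
    print("register values :", [hex(v) for v in plain])
    print("hamming distances:", hamming_distances(plain))          # data-dependent
    print("constant?        :", is_constant_hamming_distance(plain))
    encoded = dual_rail_precharge_trace(plain)
    print("dual-rail HDs    :", hamming_distances(encoded))        # all equal to 16
    print("constant?        :", is_constant_hamming_distance(encoded))
```

Running the module prints the plain register trace, whose Hamming distances vary from update to update (and therefore with the data and key), followed by the precharged dual-rail trace, whose Hamming distance is the same for every update. The cost of the illustrative encoding is visible in the model as well: the register doubles in width and each round now takes two register updates.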